It wasn't really to differentiate. It was to point out, for example, how the new breach requirements revolve around the concept of organizations reporting a breach where there is a real risk of significant harm, organizations having to make a judgment, and imposing that accountability on organizations.
I thought that term might catch people's attention if they were wondering whether they should be out there taking more risk.
No, it's that organizations should have imposed on them the requirement to evaluate the risk that is involved in the use of any information and to make appropriate decisions based on that. That's embedded in PIPEDA now, in the sections that deal with consent. There's a higher standard of consent required when you're talking about sensitive information as well as with the new breach requirements. There's a burden placed on organizations to make proper judgments as to the risk posed to consumers or customers with respect to some data that may have been leaked.